Kathy Hughes, CISO. PHOTO: Cybercrime Magazine.

CISO Report: Cybersecurity Culture At New York’s Largest Healthcare Provider

Kathy Hughes, VP & CISO at Northwell Health on security awareness training

David Braue

Melbourne, Australia – Mar. 7, 2023

The CISO Report is sponsored by KnowBe4.

As chief information security officer (CISO) of a $15 billion healthcare organization with 83,000 employees across nearly 200 sites, Kathy Hughes has an extremely full remit that spans security tools and technologies, threat management, vulnerability management, identity and access management, risk management, security governance, and maintaining policies and procedures.

Ask her which of her responsibilities is the most important, however, and she doesn’t miss a beat.

“Security awareness and training is probably the most important thing a CISO can do, and is responsible for,” Hughes told Cybercrime Magazine, “and that’s because there are really only two types of attacks: a cyberattack that can exploit a technical vulnerability, and a social engineering attack that exploits the human vulnerabilitythe person.”

That’s not to diminish the importance of appropriate cybersecurity tools. “Given the sheer volume of events that take place within an organization and network,” she explained, “you really do need your tools and technologies to help determine that, and to protect and respond when there are incidents.”

“But the last line of defense, even in a cyberattack, is the person behind the keyboard.”

That’s because for all the investment in security technologies that any company makes, she added, “it just takes one person clicking on one link that bypasses all those technologies in order for an organization to really become crippled.”

Hughes’s seven-year tenure at Northwell Health — the largest healthcare provider in New York state, whose 17,000 doctors serve around 11 million patients per year  — has taught her the importance of establishing and maintaining widespread awareness of cybersecurity issues.

But in an organization with so many moving parts — and so many potential human vulnerabilities — she admits that building that awareness hasn’t been easy, although it is getting better given the high profile of cybersecurity issues in recent years.

“The only real way to effectively combat a social engineering attack is through security awareness and training,” she explained. “But back in the day, no one had heard of cyberattacks or security, and positions like mine didn’t even exist.”

“It did take a lot of time and effort to really create that initial awareness, but what has been very productive is that it’s not as foreign a concept anymore to people as it was a decade ago.”

Building awareness — and keeping it

Mirroring the experience of Northwell Health, businesses across every industry have been investing heavily in security awareness training programs — particularly in recent years, as company boards have followed CISOs’ lead by actively investing in and promoting awareness training.

The market for security awareness training of all types, which includes computer-based training (SACBT) tools, is expected to hit $10 billion annually by 2027, according to Cybersecurity Ventures, particularly as vendors develop novel and entertaining ways of conveying important cybersecurity concepts — and making sure that employees retain what they’ve learned.

The key to a successful security awareness training program, Hughes said, is keeping it alive — and keeping it relatable for all kinds of employees.

Cybersecurity “is everybody’s responsibility, and we try to instill that core value in our workforce,” Hughes said. “We have used different methods of awareness and training that have targeted different audiences, and we use different messages because one size does not fit all.”

“We’ve really had to modify and adjust, and it’s a continuous process,” she continued.

“It requires creativity to make sure that you’re hitting upon the key points in a way that people find relevant to not only their professional life, but also to their personal life — and to make it real, and provide real-life examples and to make them feel part of it.”

As proof positive that SACBT does drive long-term change when done correctly, Hughes said that new hires — who effectively serve as controls in the scenario because they have not had any formal security training — “probably pose the highest risk.”

Those new hires are eager to impress, trying to put their best forward, and still haven’t learned what a legitimate Northwell email looks like — which is why Hughes has directed an extra helping of SACBT to new hires, who undergo extensive training during employee orientation.

“We tell them right at the beginning that we will be conducting a targeted phishing exercise to test their knowledge of what we explained to them during the training,” Hughes said, noting that the training team follows up with new hires within a few weeks, and a month later as well.

“We’re really focused on making sure that they have the appropriate training and tools to make sure they’re not susceptible to becoming a victim of a phishing attack,” she explained.

“We try to build security awareness and training into everybody’s DNA, and into the culture, so that it just becomes second nature to them — and it’s something they don’t have to really think about.”

“It’s just something that they do, and it’s always in the back of their head whenever they’re doing anything online.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.